In 2018, NTIA launched its Multistakeholder Process on Software Component Transparency, bringing together an active, engaged community to formulate and establish a software bill of materials (SBOM) – a nested inventory that makes up the “ingredients list” for software.
The stakeholders in our process initially focused on defining the problem: the what, the why, and the how of software component transparency. They established common, consensus definitions, and emphasized the importance of a "baseline" SBOM.
Experts from the healthcare and medical device community stepped up early in the process to demonstrate that this idea was both feasible and useful for their industry. They launched the first SBOM "proof of concept," sharing their experiences, successes, and challenges in public documentation from which the broader community could learn.
Next, the community shifted its efforts to jumping technical hurdles, as well as identifying existing tools and gaps in the ecosystem.
They emphasized a mantra of "crawl, then walk, then run" to promote adoption across the ecosystem. They developed videos to help educate the public.
Along the way, what was an obscure idea became a key part of the global agenda around securing software supply chains.
Last year, stakeholders in our process released a series of documents that mark the conclusion of their efforts. But as they say: “This is the end of the beginning.” SBOM has real momentum behind it, and organizations across government and industry are taking up the cause.
The importance of SBOM was recognized in the early 2021 Cybersecurity Executive Order, which directed NTIA to publish “minimum elements” for an SBOM. NTIA quickly followed in July with minimum elements, comprised of three broad, interrelated areas including data fields, automation support, and practices and processes. SBOM minimum elements will enable basic use cases, such as management of vulnerabilities, software inventory, and licenses.
Importantly, SBOM is foundational to driving software assurance and supply chain risk management. We are continuing to engage as the U.S. government works on new language for the Federal Acquisition Regulation focusing on cybersecurity and incident reporting. Earlier this month, the White House convened a meeting on software security, where participants discussed ways to accelerate and improve the use of SBOM.
Meanwhile, the business case for SBOM is solidifying. The recently identified log4j utility flaw, a remote code execution vulnerability that enables hackers to execute arbitrary code and take full control of vulnerable devices, created thousands of other vulnerabilities in downstream applications. Enterprises using SBOM quickly determined whether the log4j utility was in their software packages – and where it was located – enabling them to quickly isolate and remediate the vulnerability.
NTIA will continue to promote SBOM in our supply chain work. With virtualized communications ecosystems expanding and improving our 5G footprint, transparency in software will be an important building block for security.
Throughout its software transparency process, NTIA has emphasized optimism, skepticism, and an understanding of the marketplace to foster measured but constant progress.
The success of our multistakeholder process demonstrates the value of this approach to tackling key cybersecurity challenges. The careful inclusion of a diverse and representative set of stakeholders allowed progress without advancing too far too fast.
We look forward to building on SBOM success and engaging with the broad cybersecurity community to bring this model into regular practice across the software landscape.